Does anyone know of a way to rate limit ssh connections from an IP address? We are starting to see more and more brute force attempts to guess simple passwords. "/usr/sbin/inetd -wWl -C 10" is nice for slowing down attempts to services launched via inetd. Is there an equiv method for doing this to sshd? Running from inetd has some issues supposedly.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
Have you checked MaxStartups in the sshd_config man page?

In an earlier message, Mike Tancsa wrote:
> Does anyone know of a way to rate limit ssh connections from an IP address?
> We are starting to see more and more brute force attempts to guess
> simple passwords. "/usr/sbin/inetd -wWl -C 10" is nice for slowing down
> attempts to services launched via inetd. Is there an equiv method for
> doing this to sshd? Running from inetd has some issues supposedly.
Mike Tancsa <mike@sentex.net> wrote:
> Does anyone know of a way to rate limit ssh connections from an IP address?

I haven't used it myself, but ipfw (not sure whether it's ipfw2-only) has a limit directive:

    limit {src-addr | src-port | dst-addr | dst-port} N

The firewall will only allow N connections with the same set of parameters as specified in the rule. One or more of source and destination addresses and ports can be specified. If you're getting lots of connects in parallel, that should improve things.

Here's another thought, using dummynet:

    ipfw pipe 1 config bw 1Kbit mask src-ip 0xffffffff
    ipfw add 10 pipe 1 tcp from any to me 22 setup

1 kbit is 128 bytes/sec, which is roughly 2-3 average SYN packets per second. More than enough for a regular host, but fairly limiting against a flood.

You can also implement this at the border:

    ipfw pipe 1 config bw 1Kbit mask src-ip 0xffffffff dst-ip 0xffffffff
    ipfw add 10 pipe 1 tcp from any to (LAN) 22 setup

(Dropping the dst-ip mask here would limit SYNs from any given IP to your whole LAN.)

These aren't tested, but they may give you some ideas.

Mark
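The ipfw rules above throttle SYNs before sshd ever sees them; the host-side complement is to watch sshd's own log for repeated password failures and feed the offending addresses into a firewall table. The following is an added example, not code from the thread: it counts "Failed password" lines per source IP over a sliding window and renders ipfw table-add commands for review. The syslog-style auth.log format, the 5-failures-per-60-seconds threshold, and the "ipfw table N add" syntax are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches OpenSSH "Failed password" lines (assumed syslog auth.log format, no year in the timestamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines, year=2004):
    """Yield (timestamp, source_ip) for each failed-password line, in log order."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def offenders(lines, max_failures=5, window_seconds=60):
    """Return {ip: peak failures} for sources exceeding max_failures inside any window_seconds span."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = {}
    for ts, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) > max_failures:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def ipfw_table_commands(ips, table=1):
    """Render 'ipfw table N add <ip>' lines for an operator to review (assumed syntax; nothing is executed)."""
    return [f"ipfw table {table} add {ip}" for ip in sorted(ips)]

# Constructed sample log: one noisy source hammering root/admin, and one
# ordinary user who mistyped a password once before logging in.
SAMPLE_LOG = [
    "Jan 14 10:00:01 gw sshd[1201]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "Jan 14 10:00:05 gw sshd[1203]: Failed password for root from 192.0.2.10 port 40002 ssh2",
    "Jan 14 10:00:09 gw sshd[1205]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2",
    "Jan 14 10:00:12 gw sshd[1206]: Failed password for mike from 198.51.100.7 port 51000 ssh2",
    "Jan 14 10:00:13 gw sshd[1207]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2",
    "Jan 14 10:00:15 gw sshd[1206]: Accepted password for mike from 198.51.100.7 port 51000 ssh2",
    "Jan 14 10:00:17 gw sshd[1209]: Failed password for root from 192.0.2.10 port 40005 ssh2",
    "Jan 14 10:00:21 gw sshd[1211]: Failed password for root from 192.0.2.10 port 40006 ssh2",
    "Jan 14 10:00:25 gw sshd[1213]: Failed password for root from 192.0.2.10 port 40007 ssh2",
]
```

On the sample, offenders(SAMPLE_LOG) returns {'192.0.2.10': 7} and the single mistyped password from 198.51.100.7 stays below the threshold; tightening the window to 10 seconds flags nobody, which is the knob to tune against the rate the dummynet pipe already imposes.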
Mike Tancsa wrote:
> Does anyone know of a way to rate limit ssh connections from an IP address?

We've used inetd for this for several years. Works great. Aside from having more connection limiting features, inetd is also easier to configure on non-standard ports, uses less memory (1K vs 5K), and has a simpler (and by extension more secure) code base.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
I would strongly suggest that you don't use inetd for running services but run all your services as daemons, which is much faster for the system and safer. I've seen somewhere, I think, a command for limiting that, but I am not sure... If I find the command I'll tell you! Take care ;)
Roger Marquis wrote:
> Aside from having more connection limiting features inetd is also
> easier to configure on non-standard ports, uses less memory (1K vs
> 5K), and has a simpler (and by extension more secure) code base.

"slimmy baddog" wrote:
> I would strongly suggest that you don't use inetd for running services but
> running all your services as daemons which is much faster for the system
> and safer.

That used to be the recommendation, back when 50MHz CPUs were the norm. With 1 GHz and faster CPUs the difference between sshd and inetd starting a child sshd is in the millisecond range, i.e., impossible to distinguish by look and feel. As to security, I think both code bases have had about the same degree of peer review. The smaller size of the inetd code base is what makes it more secure.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/